ABSTRACT

This paper presents some first results on how to perform uni- 
form random walks (where every trace has the same proba- 
bility to occur) in very large models. The models considered 
here are described in a succinct way as a set of communi- 
cating reactive modules. The method relies upon techniques 
for counting and drawing uniformly at random words in reg- 
ular languages. Each module is considered as an automaton 
defining such a language. It is shown how it is possible
to combine local uniform drawings of traces, and to obtain 
some global uniform random sampling, without construction 
of the global model. 

Categories and Subject Descriptors 

D.2.4 [Software Engineering]: Software/Program Verifi- 
cation; D.2.5 [Software Engineering]: Testing and De- 
bugging 

Keywords 

model-based testing, random walk, modular models, model 
checking, randomised approximation scheme, uniform gen- 
eration 

1. INTRODUCTION 

Model based testing has received a lot of attention for 
years and is now a well established discipline (see for in- 
stance [271 0). Most approaches have focused on the de- 
terministic derivation from a finite model of some so-called 
checking sequence, or of some complete/exhaustive set of 
test sequences, that ensure conformance of the implementa- 
tion under test (IUT) with respect to the model. However, 
in very large models, such approaches are not practicable 
and some selection strategy must be applied to obtain tests 
of reasonable size. A popular selection criterion is transition 
coverage. Other selection methods rely upon the statement 
of some test purpose. 
With the emergence of model checking, several sophisticated
techniques for the representation and the treatment of
models and formulas have been proposed and used for devel- 
oping powerful verification tools for large models. Among 
them, one can cite: symbolic model checking, partial-order 
reduction methods, reactive modules, symmetry reduction, 
hash compaction and bounded model checking. 

In this area, several authors have recently suggested the
use of random walks in the state space of very large models
in order to get good approximate checks in cases where
exhaustive check is too expensive [31] [18] [10] [30]. This is in
the line of testing methods developed earlier in the area of
communication protocols [33] [28] [26] [9].

A random walk in the state space of a model is a sequence of
states $s_0, s_1, \ldots, s_n$ such that $s_i$ is a state that
is chosen uniformly at random among the successors of the
state $s_{i-1}$, for $i = 1, \ldots, n$. It is easy to implement
and only requires local knowledge of the model. In [33], West
reported experiments where random walk methods had good and
stable error detection power. In [28], Mihail and Papadimitriou
identified some class of models that can be efficiently tested
by random walk exploration: the random walk converges to
the uniform distribution over the state space in polynomial
time with respect to the size of the model. These were first
evidence of the interest of such approaches for dealing with
special classes of large models.

However, as noted by Sivaraj and Gopalakrishnan in [31],
random walk methods have some drawbacks. In case of irregular
topology of the underlying transition graph, uniform choice of
the next state is far from being optimal from a coverage point
of view (see Figure 1). Moreover, for the same reason, it is
generally not possible to get any estimation of the test
coverage obtained after one or several random walks: it would
require some complex global analysis of the topology of the
model. One way to overcome these problems has been proposed by
Gouraud et al. for program testing in [11]. It relies upon
techniques for counting and drawing uniformly at random
combinatorial structures. Two major approaches have been
developed for dealing with these problems: the Markov Chain
Monte-Carlo approach (see e.g. the survey by Jerrum and
Sinclair [22]) and the so-called recursive method, as described
by Flajolet et al. in [14] and implemented in [32]. Although
the former is more general in its applications, we chose to
work with the latter because it is particularly efficient for
generating the kind of random walks we deal with. The idea in
[15] [11] is to give up the uniform choice of the next state
and to bias this choice according to the number of elements
(traces, or states, or transitions) reachable via each
successor. Considering the number of traces makes it possible
to ensure a uniform probability on traces. Considering
elements, such as states or transitions, makes it possible to
maximise the minimum probability to reach such an element.

[Figure 1: The case of irregular topology. Classical random
walk, length 3: P(a;c;d) = 0.5 x 0.25 x 0.25 = 0.03125 and
P(b;e;f) = 0.5. Uniform random sampling of traces, length 2:
P(a;c;d) = P(b;e;f) = 0.1.]

For addressing very large models, it seems interesting to 
study how to combine this improved version of random walk 
with the representation techniques developed for struggling 
against combinatorial state explosions. In this paper we 
present some first results on how to uniformly sample traces 
in models described as a set of interacting transition sys- 
tems, using the so-called "reactive modules" notation. This 
language, defined by Alur and Henzinger in is used as 
input of the Mocha model checkers and its variants 

In the probabilistic model checking community, it is the 
input language of the PRISM [13 EH and APMC model 
checkers. It is similar to communicating extended state ma- 
chines, where transitions can be labelled by probabilities. 
We propose some way, inspired from for uniformly ran- 
dom sampling traces in systems described by reactive mod- 
ules, without constructing the global model. This method 
opens interesting perspectives for random model based test- 
ing, for model checking, and for simulation methods. 

The paper is organised in two parts. 

In Section 2, we first describe in 2.1 the reactive modules
notation; then, in 2.2 we show how to implement classical
random walk in systems described by reactive modules; in
2.3 we give an approximation of the detection power of such
methods.

In Section 3 we address the computation of probabilities 
for improving random walk by uniformly drawing traces in 
models given as a set of such modules: 3.1 and 3.2 recall 
some results on automata and on counting and drawing 
uniformly at random words of a given length, in regular lan- 
guages; we generalise these techniques to shuffles of such lan- 
guages; 3.3 and 3.4 deal with uniform generation of traces for 
systems described by reactive modules, without, and then 
with, synchronisation. 



2. RANDOM WALKS IN "REACTIVE MODULES"

Our approach is based on a rather classical kind of model 
in testing, namely transition systems where transitions are 
labelled by atomic actions of a given language Act. 

Definition 1. An action-labelled transition system
(ALTS) is a structure $M = (S, T, s_0, Act)$ where $S$ is a set
of states, $s_0$ the initial state, $T \subseteq S \times Act \times S$
a transition relation and $Act$ a set of actions.

In this paper we consider finite ALTS. Note that, with 
this definition, ALTS may be non deterministic: the tran- 
sition relation may associate several target states to a given 
state and a given action. 

2.1 Reactive Modules 

In this paper, we use the Reactive Modules language 3 
for describing ALTS. This language is used in the proba- 
bilistic model checking community for modeling programs 
and protocols as transition systems. Two model checkers 
are using a subset of it as input language: PRISM [24] [29]
and APMC 0. 

In this language, transition systems are represented by 
modules that can interact together. Each module is com- 
posed of local variables and guarded commands. The global 
state of the system is given by the local states (i.e. the val- 
ues of the local variables) of the modules. More precisely, 
at any moment the global state of the system is represented 
by a vector containing the values of all the variables of the 
system. A guarded command is a description of an atomic 
transition. It is written as 

[sync] guard -> act1 + ... + actk;

where guard is a propositional formula over the variables
of the system and where each action (act1,...,actk) defines
a new assignment of some local variables. The choice of the 
action to be activated is done non deterministically among 
those with a valid guard. 

Basically, to compute an execution of the whole system, 
the algorithm is the following (when there is no synchroniza- 
tion) : 

1. Choose non deterministically one of the modules. 

2. Check all the guards of the module, keep a list of the 
valid guards. 

3. If there are no valid guards, no action can be executed,
then the execution is stopped (to avoid a livelock
situation).

4. Choose non deterministically among the valid guards, 
execute non deterministically one of the corresponding 
actions. 

5. Modify the local state, thus inducing a modification of 
the global state. 

6. Go to step 1. 

Moreover, one can see that there is a specific field in the
guarded command: [sync]. This field is used to synchronize
modules. By putting a synchronization between guards of
different modules, we force the actions associated to the
guards to be done together (this is a way to describe
succinctly a complex behaviour). Basically, we have to
maintain, together with the valid guards, the corresponding
synchronisations. At step 2 of the computation, a guard g
synchronised by s in a module m is considered valid if and
only if the guard is true and if there exists, in each module,
at least one guard which is true and synchronised by s. If g
is picked at step 4, then in each module one of the actions
corresponding to one (chosen non deterministically) of the
synchronised valid guards is executed together with one of
the actions of g.

In the following, we give an example of a simple Reactive
Modules system composed of three modules. All the modules
act together via synchronization. Figure 2 summarizes the
example.

module timer

t : [0..1] init 0;

[tic] t=0 -> t'=1;
[tac] t=1 -> t'=0;

endmodule

module on_tic

state1 : [0..1000] init 0;

[tic] state1<1000 -> state1'=(state1+2);
[tic] state1>=1000 -> state1'=0;

endmodule

module on_tac

state2 : [1..1001] init 1;

[tac] state2<1001 -> state2'=(state2+2);
[tac] state2>=1001 -> state2'=1;

endmodule

[Figure 2: Scheme of the example (modules timer, on_tic and on_tac)]

We now explain quickly the short example. To compute
executions of the model, one has to first pick one of the
modules, for instance module on_tic. Then the algorithm checks
the valid guards. At the beginning, the variable state1 is
lower than 1000, so only the first guard is valid. We have
to activate the first guard, but one can see that there is
a synchronization on it: tic. So we have to make each
module act with the two others via a guard synchronised
with tic. It means that the only valid execution is to
activate the first guard of the timer and of the module on_tic
(there are no guards synchronised with tic in the third
module). So the system starts from the initial state (0, 0, 1).
It goes from global states of the form (0, state1, state2) to
(1, state1 + 2, state2), and from global states of the form
(1, state1, state2) to (0, state1, state2 + 2). After a while,
state1 (resp. state2) is set to 0 (resp. 1) and the system
restarts from the initial state (0, 0, 1).

More information about Reactive Modules can be found
in the paper of Alur and Henzinger, which gives a full
account of the semantics, and some correspondence between
modules and transition systems.

The Reactive Modules notation makes it possible to describe
huge transition systems via synchronised product. In practice,
this notation allows one to manipulate large systems without
being subject to the exponential blowup of the state space
(for instance systems with more than $10^{30}$ states, see [18]).

Most of the very large models come from the product of
several times the same module. This is the case with classical
distributed algorithms [17] and real systems/protocols.

2.2 Classical random walks 

An execution path, or a trace in an ALTS, is a finite or
infinite sequence $\sigma = (s_i, a_i, s_{i+1})$ of transitions
satisfying: for all $i \geq 0$, there exists $a_i \in Act$ such
that $(s_i, a_i, s_{i+1}) \in T$.

To perform a random walk in an ALTS $M$, it is sufficient to
have a succinct representation of it, that we call $diagram_M$,
that allows one to generate algorithmically, for any state $s$,
the set of successors of $s$. An example of such a diagram is a
set of reactive modules defining a large model $M$ (as seen
above). But OBDD or other representations of LTS satisfy
this requirement.

The size of such a diagram can be substantially lower than
the size of the corresponding ALTS. Typically, for Reactive
Modules, the size of $diagram_M$ is poly-logarithmic in the
size of $M$.

The following function Random Walk¹ uses such a succinct
representation to generate a random path of length $k$
and to check if this path leads to the detection of some
conformance error. We make the simplifying assumption that
there is a reliable verdict that detects an error when a fault
is reached during the execution of the random walk by the
implementation under test (IUT).

¹ This classical algorithm actually defines a so-called "preset"
random walk. For the distinction between preset and
adaptive checking sequences see [27]. We give some hints on
how to cope with adaptive random walks in the conclusion.

Random Walk
Input: $diagram_M$, $k$
Output: samples a path $\pi$ of length $k$ and check
conformance on $\pi$

1. Generate a random path $\pi = (s_0, \ldots, s_k)$
such that for $i = 0, \ldots, k-1$, we choose
uniformly $s_{i+1}$ among the successors of $s_i$.

2. Submit $\pi$ to the IUT. If $\pi$ detects some
conformance error then return 1 else return 0.

A drawback of this approach is that we don't know the
probability distribution that it induces on the paths of the
model. However, it is possible to approximate the error
detection probability using approximation techniques for
counting problems [23].

2.3 Randomised approximation scheme 

Many enumeration and counting problems are known to
be strongly intractable. For example, counting the number
of elementary paths between two given nodes in the graph of
a transition system is #P-complete. We recall that #P is the
complexity class of functions associated with counting the
numbers of solutions of NP decision problems. A classical
method to break this complexity barrier is to approximate
counting problems.

We show that we can approximate the error detection
probability with a simple randomised algorithm. A probability
problem is defined by giving as input a succinct
representation of a transition system, a property $x$ and as
output the probability measure $\mu(x)$ of the measurable set of
execution paths satisfying this property. We adapt the notion
of randomised approximation scheme [23] to probability
problems.

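Definition 2. A randomised approximation scheme for
a probability problem [18] is a randomised algorithm $\mathcal{A}$ that
takes an input $x$ and a real number $\varepsilon > 0$ and produces a
value $\mathcal{A}(x, \varepsilon, \delta)$ such that for any $x$, $\varepsilon > 0$, and $\delta > 0$:

$$\Pr\big(|\mathcal{A}(x, \varepsilon, \delta) - \mu(x)| \leq \varepsilon\big) \geq 1 - \delta.$$

If the running time of $\mathcal{A}$ is polynomial in $|x|$, $\frac{1}{\varepsilon}$ and $\log(\frac{1}{\delta})$,
$\mathcal{A}$ is said to be fully polynomial.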

Let $Paths_k(s_0)$ be the set of execution paths of origin $s_0$
and of depth $k$. We generate random paths in the associated
probabilistic space and compute a random variable $A$ which
approximates the error detection probability on the paths of
depth $k$, $Prob_k[error]$. Consider now the random sampling
algorithm GAA designed for the approximate computation
of $Prob_k[error]$:

Generic approximation algorithm GAA

Input: $diagram_M$, $k$, $\varepsilon$, $\delta$

Output: approximation of $Prob_k[error]$

$N := \ln(\frac{2}{\delta}) / 2\varepsilon^2$
$A := 0$
For $i = 1$ to $N$ do
    $A := A +$ Random Walk($diagram_M$, $k$)
Return $A/N$

Our approximation will be correct with confidence $(1 - \delta)$
after a number $N$ of samples polynomial in $\frac{1}{\varepsilon}$ and $\log\frac{1}{\delta}$.
This result is obtained by using Chernoff-Hoeffding bounds
[20] on the tail of the distribution of a sum of independent
random variables.



Theorem 1. (see [25]). The generic approximation algorithm
GAA is a fully polynomial randomised approximation
scheme for computing $p = Prob_k[error]$ whenever $p \in ]0, 1[$.

The property of existence of conformance error detection
is monotone: if it is true for a finite path $\sigma$, then it is also
true for every infinite extension of this path. Let $Prob[error]$
be the error detection probability in the probabilistic space
associated to the set $Paths(s_0)$ of infinite execution paths
of origin $s_0$. Then the sequence $(Prob_k[error])$ converges
to the limit $Prob[error]$.

We can obtain a randomized approximation of $Prob[error]$
by increasing $k$.

Corollary 1. The fixed point algorithm defined by iterating
the approximation algorithm GAA is a randomised approximation
scheme for the probability problem $p = Prob[\psi]$
whenever $p \in ]0, 1[$.

The main interest of this randomised approximation scheme 
is that it allows some quantification of the error detection 
power of a random walk without construction and analysis 
of the global system. 
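
The Random Walk function and the GAA sampling loop of this section, as an added Python example that is not code from the paper. The command encoding, the function names, the fault predicates and the one-module `COIN` model are assumptions made here; a synchronised command is taken to involve every module that owns a command with that label, as in the walkthrough of Section 2.1.

```python
import itertools
import math
import random

# Each command is (sync label or None, guard, update); a global state is a dict.
# MODULES encodes the timer / on_tic / on_tac example of Section 2.1.
MODULES = {
    "timer": [("tic", lambda s: s["t"] == 0, lambda s: {"t": 1}),
              ("tac", lambda s: s["t"] == 1, lambda s: {"t": 0})],
    "on_tic": [("tic", lambda s: s["state1"] < 1000, lambda s: {"state1": s["state1"] + 2}),
               ("tic", lambda s: s["state1"] >= 1000, lambda s: {"state1": 0})],
    "on_tac": [("tac", lambda s: s["state2"] < 1001, lambda s: {"state2": s["state2"] + 2}),
               ("tac", lambda s: s["state2"] >= 1001, lambda s: {"state2": 1})],
}
INIT = {"t": 0, "state1": 0, "state2": 1}

# Constructed model with a real choice: from x=0 go to x=1 or x=2, then stop.
COIN = {"coin": [(None, lambda s: s["x"] == 0, lambda s: {"x": 1}),
                 (None, lambda s: s["x"] == 0, lambda s: {"x": 2})]}
COIN_INIT = {"x": 0}


def successors(modules, state):
    """Distinct global successors of `state`, computed from the modules only."""
    found = []
    labels = set()
    for commands in modules.values():
        for label, guard, update in commands:
            if label is None:
                if guard(state):
                    found.append({**state, **update(state)})
            else:
                labels.add(label)
    for label in sorted(labels):
        # Every module owning `label` must contribute one command with a true guard.
        per_module = []
        for commands in modules.values():
            owned = [c for c in commands if c[0] == label]
            if owned:
                per_module.append([c for c in owned if c[1](state)])
        if all(per_module):
            for combo in itertools.product(*per_module):
                new = dict(state)
                for _, _, update in combo:
                    new.update(update(state))
                found.append(new)
    unique = []
    for s in found:
        if s not in unique:
            unique.append(s)
    return unique


def random_path(modules, init, k, rng):
    """States visited by a classical random walk of at most k steps."""
    path = [dict(init)]
    for _ in range(k):
        nxt = successors(modules, path[-1])
        if not nxt:          # no valid guard: the execution stops
            break
        path.append(rng.choice(nxt))
    return path


def random_walk(modules, init, k, is_fault, rng):
    """Return 1 if the sampled path reaches a fault state, else 0."""
    return int(any(is_fault(s) for s in random_path(modules, init, k, rng)))


def sample_size(eps, delta):
    """N = ln(2/delta) / (2 eps^2), rounded up to an integer."""
    return math.ceil(math.log(2 / delta) / (2 * eps ** 2))


def gaa(modules, init, k, eps, delta, is_fault, rng):
    """Estimate Prob_k[error] as the mean verdict of N random walks."""
    n = sample_size(eps, delta)
    return sum(random_walk(modules, init, k, is_fault, rng) for _ in range(n)) / n
```

On the three-module example the walk is deterministic and returns to the initial state after 1002 steps, so its error probability is 0 or 1; the `COIN` model gives a probability strictly between the two, which is the case Theorem 1 covers.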

3. IMPROVING RANDOM WALK COVERAGE

In this section we study how to improve random walk by 
changing the random choice of the successors in such a way 
that traces are uniformly distributed. After some prelimi- 
naries, we first address the case of systems described by a set 
of concurrent, non synchronised reactive modules, and then 
we consider the case where there is some synchronisation. In 
both cases, we analyse the (intractable) complexity of explic- 
itly building the product [S] of the models corresponding to 
the modules. Then we propose a much more efficient
alternative, based on the representation of the modules, hence
without explicitly constructing the whole system.

3.1 From reactive modules to automata 

We briefly recall that a finite state automaton $A$ is denoted
as a 5-tuple $A = (X, Q, q^0, F, \Delta)$ where $X$ is the alphabet,
$Q$ is the finite set of states, $q^0$ is the initial state, $F$ is the
set of final states and $\Delta : Q \times X \to Q$ is the state
transition relation. A finite state automaton $A$ defines a regular
language $L$ on the alphabet $X$.

Let $M_1, M_2, \ldots, M_r$ be a set of reactive modules, each one
standing for an ALTS. Each of the $M_i$'s can be represented
in a straightforward way by a finite-state automaton
$A_i = (X_i, Q_i, q_i^0, F_i, \Delta_i)$ where

• each state of $Q_i$ corresponds to a state of $M_i$,

• any two different transitions are labelled by two different
letters of $X_i$ (hence the cardinality of $X_i$ equals
the number of transitions in $A_i$),²

• all states are final states (hence $F_i = Q_i$),

• the $X_i$'s are pairwise disjoint.

Consequently, each of the $A_i$'s defines a regular language
$L_i$ where each word is in one-to-one correspondence with a
trace in the reactive module.

² This is just a way to identify transitions in order to use
their numbers in the following developments. This has no
consequence on the kind of model considered, deterministic
or not.



3.2 Combinatorial and algorithmic preliminaries

3.2.1 Automata and word counting

Let $L$ be a regular language and let $\ell(n)$ be the number of
words of $L$ of length $n$. According to a well known result (see
e.g. [13, Theorem 8.1]), there exist an integer $N_1$, a finite
set of complex numbers $\omega_1, \omega_2, \ldots, \omega_k$ and a finite set of
polynomials $R_1(n), R_2(n), \ldots, R_k(n)$ such that

$$n \geq N_1 \;\Rightarrow\; \ell(n) = \sum_{j=1}^{k} R_j(n)\,\omega_j^n. \qquad (1)$$

The number $N_1$, as well as the $\omega_j$'s and the $R_j$'s, can be
computed from an automaton of $L$, with an algorithm of
polynomial complexity according to the size of the automaton.
Technical details are given in Appendix 1.

If the automaton of $L$ satisfies certain conditions (see
below), then there is a unique $i$ such that $|\omega_i| > |\omega_j|$ for
any $j \neq i$, and $R_i(n)$ has degree zero, that is $R_i(n) = C$ for
any $n$, where $C$ is a constant. Thus, if we define $\omega = \omega_i$, the
following formula holds, asymptotically:

$$\ell(n) \sim C\,\omega^n. \qquad (2)$$

This gives a very good estimation of $\ell(n)$ even for rather
small $n$ since, according to Formulas (1) and (2), $C\omega^n/\ell(n)$
converges to 1 at an exponential rate.

A simple sufficient condition for Formula (2) to hold is:
the automaton is aperiodic and strongly connected. An automaton
is aperiodic if, for any sufficiently large $n$, $\ell(n) \neq 0$.
Now, as stated in Section 3.1, all the states of any automaton
which represents a reactive module are final states.
Thus any automaton which represents a reactive module
is aperiodic. Concerning strong connectivity, it is satisfied
as soon as there is a reset. Moreover, it is a sufficient yet
not mandatory condition. For instance, for satisfying
Formula (2), in fact it suffices to have some unique biggest
strongly-connected component in the automaton. Hence,
most "natural" automata are such that this formula is
satisfied. Note that in the sequel we use Formula (2) for the
automata corresponding to the component modules.

3.2.2 Automata and word shuffling 

The shuffle of two words $w, w' \in X^*$, denoted $w \sqcup\!\sqcup w'$, is the
set $w \sqcup\!\sqcup w' = \{w_1 w'_1 \ldots w_m w'_m \mid w_i, w'_i \in X^*, w = w_1 \ldots w_m, w' = w'_1 \ldots w'_m\}$.
For example, $ab \sqcup\!\sqcup cde$ = {abcde, acbde, acdbe,
acdeb, cabde, cadbe, cadeb, cdabe, cdaeb, cdeab}. The shuffle
operation is associative and commutative. It naturally
generalises for languages: the shuffle of two languages $L_1$
and $L_2$ is the set

$$L_1 \sqcup\!\sqcup L_2 = \bigcup_{w_1 \in L_1,\ w_2 \in L_2} w_1 \sqcup\!\sqcup w_2.$$

This easily generalises to any finite number $r$ of languages.
And the following property holds: the shuffle of a set of
regular languages is a regular language. Indeed, let $r > 0$
and let $L_1, L_2, \ldots, L_r$ be $r$ regular languages. Let
$A_i = (X_i, Q_i, q_i^0, F_i, \Delta_i)$ be an automaton of $L_i$, for any
$1 \leq i \leq r$. Then the following finite state automaton recognises $L$:
$A = (X, Q, q^0, F, \Delta)$, where

• $X = X_1 \cup X_2 \cup \ldots \cup X_r$;

• $Q = Q_1 \times Q_2 \times \ldots \times Q_r$;

• $q^0 = (q_1^0, \ldots, q_r^0)$;

• $F = F_1 \times F_2 \times \ldots \times F_r$;

• $\Delta((q_1, \ldots, q_i, \ldots, q_r), x) = \begin{cases} (\Delta_1(q_1, x), \ldots, q_i, \ldots, q_r) & \text{if } x \in X_1 \\ (q_1, \ldots, \Delta_i(q_i, x), \ldots, q_r) & \text{if } x \in X_i \\ (q_1, \ldots, q_i, \ldots, \Delta_r(q_r, x)) & \text{if } x \in X_r \end{cases}$

We call this automaton a shuffling automaton of $L_1, L_2, \ldots, L_r$.

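Now let $\ell_i(k)$ be the number of words of length $k$ belonging
to the language $L_i$. If the $X_i$'s are pairwise disjoint, then
the number of words of length $n$ belonging to $L$ is:

$$\ell(n) = \sum_{k_1 + \cdots + k_r = n} \binom{n}{k_1, \ldots, k_r}\, \ell_1(k_1) \cdots \ell_r(k_r).$$
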

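Now, suppose that, as in the previous section, all the $L_i$'s
are such that

$$\ell_i(k) \sim C_i\,\omega_i^k \qquad (3)$$

where $C_i$ and $\omega_i$ are two constants. Then

$$\ell(n) \sim \sum_{k_1 + \cdots + k_r = n} \binom{n}{k_1, \ldots, k_r} \prod_{i=1}^{r} C_i\,\omega_i^{k_i} = C_1 C_2 \ldots C_r\,(\omega_1 + \omega_2 + \cdots + \omega_r)^n. \qquad (4)$$
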

3.2.3 Uniform random generation of words in a regular language

First discussed by Hickey and Cohen [19], the method for
generating words of regular languages has been improved
and widely generalized by Flajolet et al. [14]. The principle
of the generation process is simple: starting from state $q^0$,
one draws a word step by step; at each step, the process
consists in choosing a successor of the current state and
going to it.

The problem is to proceed in such a way that only (and
all) words of length $n$ can be generated, and that they are
equiprobably distributed. This is done by choosing successors
with suitable probabilities. Given any state $s$ of the
automaton, let $g_m(s)$ denote the number of words of length
$m$ which connect $s$ to any final state $f \in F$. Suppose that,
at any step of the generation, we are on state $s$ which has
$k$ successors denoted $s_1, s_2, \ldots, s_k$. In addition, suppose
that $m > 0$ transitions remain to be done in order to get
a word of length $n$. Then the condition for uniformity is
that the probability of choosing state $s_i$ ($1 \leq i \leq k$) equals
$g_{m-1}(s_i)/g_m(s)$. In other words, the probability to go to
any successor of $s$ must be proportional to the number of
words of suitable length from this successor to any $f$.

So there is a need to compute the numbers $g_i(s)$ for any
$0 \leq i \leq n$ and any state $s$ of the automaton. This can be
done by using the following recurrence relations:

$$g_0(s) = \begin{cases} 1 & \text{if } s \in F \\ 0 & \text{otherwise} \end{cases} \qquad g_i(s) = \sum_{s \to s'} g_{i-1}(s') \quad \text{for } i > 0 \qquad (5)$$

where $s \to s'$ means that there exists a letter $x \in X$ such
that $(s, x, s') \in \Delta$.

Now the generation scheme is as follows:

• Preprocessing stage: Compute a table of the $g_i(s)$'s for
all $0 \leq i \leq n$ and all states.

• Generation stage: Draw the word according to the
scheme seen above.

Note that the preprocessing stage must be done only once,
whatever the number of words to be generated. Easy computations
show that the memory space requirement is $n \times |Q|$
integer numbers, where $|Q|$ stands for the number of states
in the automaton. The number of arithmetic operations
needed for the preprocessing stage, as well as for the
generation stage, is linear in $n$.
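
The two stages above, as an added Python example that is not code from the paper. The automaton `DELTA` is constructed here with the irregular shape discussed around Figure 1 (three continuations after `a`, one after `b`), and all function names are assumptions; `walk_probability` gives the probability of the same word under the classical random walk for comparison.

```python
import random
from fractions import Fraction

# Constructed automaton: state -> {letter: target}. Every transition has its own
# letter and all states are final, as in Section 3.1.
DELTA = {
    0: {"a": 1, "b": 2},
    1: {"c1": 3, "c2": 4, "c3": 5},
    2: {"e": 6},
    3: {"d3": 7},
    4: {"d4": 7},
    5: {"d5": 7},
    6: {"f": 7},
}
FINALS = {0, 1, 2, 3, 4, 5, 6, 7}


def count_table(delta, finals, n):
    """Preprocessing stage: g[i][s] is the number of words of length i that
    lead from s to a final state, computed with recurrence (5)."""
    states = set(delta) | {t for out in delta.values() for t in out.values()}
    g = [{s: int(s in finals) for s in states}]
    for _ in range(n):
        prev = g[-1]
        g.append({s: sum(prev[t] for t in delta.get(s, {}).values())
                  for s in states})
    return g


def draw_word(delta, q0, g, n, rng):
    """Generation stage: with m letters left in state s, move to successor t
    with probability g[m-1][t] / g[m][s] (exact integer arithmetic)."""
    if g[n][q0] == 0:
        raise ValueError("the language has no word of this length")
    word, s = [], q0
    for m in range(n, 0, -1):
        ticket = rng.randrange(g[m][s])
        for letter, t in sorted(delta[s].items()):
            if ticket < g[m - 1][t]:
                word.append(letter)
                s = t
                break
            ticket -= g[m - 1][t]
    return word


def uniform_probability(delta, q0, g, word):
    """Exact probability that draw_word returns `word`."""
    p, s = Fraction(1), q0
    for m, letter in zip(range(len(word), 0, -1), word):
        t = delta[s][letter]
        p *= Fraction(g[m - 1][t], g[m][s])
        s = t
    return p


def walk_probability(delta, q0, word):
    """Probability of `word` when each successor is chosen uniformly."""
    p, s = Fraction(1), q0
    for letter in word:
        p *= Fraction(1, len(delta[s]))
        s = delta[s][letter]
    return p
```

For the four words of length 3 in this automaton the product of the step probabilities telescopes to 1/4 each, while the classical walk gives 1/2 to `b e f` and 1/6 to each word starting with `a`.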

3.3 Generating traces of a system of modules without synchronisation.

Here we focus on the problem of uniformly (that is equiprobably)
generating traces of a given length $n$ in a system of $r$
reactive modules. In a first step, we consider that there is
no synchronisation between the $r$ reactive modules $M_i$.

Each one is represented by a finite state automaton
$A_i = (X_i, Q_i, q_i^0, F_i, \Delta_i)$. As stated in Section 3.1, each of the
$A_i$'s defines a regular language $L_i$ whose words correspond
to the traces within the corresponding module. Since there
is no synchronisation in the system, clearly there is a one-to-one
correspondence between the set of traces of the system
and the words of $L = L_1 \sqcup\!\sqcup L_2 \sqcup\!\sqcup \ldots \sqcup\!\sqcup L_r$. Thus the problem
reduces to uniformly generating words of length $n$ in $L$. We
present two different approaches for this problem and we
discuss their complexity issues.

3.3.1 Brute force method

This first approach consists in constructing the shuffling
automaton that has been defined in Section 3.2.2. Then the
classical algorithms for randomly generating words of a regular
language can be processed, as described in Section 3.2.3.

Let $C_1 = \sum_{0 < i \leq r} Card(X_i)$ and $C_2 = \prod_{0 < i \leq r} Card(Q_i)$.
The worst-case complexities of the two main steps of the
algorithm are the following.

1. Constructing the automaton: This step is performed
only once, whatever the number of traces to be generated.
Its worst-case complexity is $C_1 C_2$ in time and
space requirements.

2. Generating traces: Using classical algorithms, generating
one word requires $n C_1$ time, after a
preprocessing stage having worst-case complexity $n C_1 C_2$
in time and space. This preprocessing stage is performed
once, whatever the number of traces to be generated.

Hence the worst case complexity for generating $m$ traces of
length $n$ is $O(n C_1 C_2 + m n C_1)$ in time and $O(n C_1 C_2)$ in
space. This is linear in $n$, in $m$, in the total size of the
alphabets. Since $C_2 = \prod_{0 < i \leq r} Card(Q_i)$, the complexity
is exponential according to the number of modules. Thus
the algorithm will be efficient only for a small number of
modules.

3.3.2 "On line" shuffling method 

Here we describe an alternative method which avoids
constructing the above automaton. We recall that $\ell_i(k)$ is the
number of words of length $k$ belonging to the language $L_i$,
and $\ell(k)$ is the number of words of length $k$ belonging to the
language $L$. The method consists first in choosing at random,
with a suitable probability, the length $n_i$ of each word
$w_i$ of $L_i$ which will contribute to the word $w$ of $L$ to be
generated. Then each $w_i$ is generated independently. Finally,
the shuffle operation is processed. We detail the method
just below.

1. Choose at random an r-uple $(n_1, \ldots, n_r)$ with probability
$\Pr(n_1, \ldots, n_r)$ such that

$$\Pr(n_1, \ldots, n_r) = \binom{n}{n_1, \ldots, n_r} \frac{\ell_1(n_1) \cdots \ell_r(n_r)}{\ell(n)}. \qquad (6)$$

2. For each $0 < i \leq r$, draw uniformly a random word
$w_i$ of length $n_i$ in $L_i$, using the classical algorithm for
generating words of a regular language.

3. Shuffle the $r$ words. This can be done with the following
algorithm:

Shuffling r words

Input: $r$ words $w_1, \ldots, w_r$, of length $n_1, \ldots, n_r$
Output: word $w$ of length $n = \sum_i n_i$, drawn uniformly
among the set of shuffles of $w_1, \ldots, w_r$.

$w \leftarrow \varepsilon$
while $n > 0$ do
    choose an integer $i$ between 1 and $r$ with probability $\frac{n_i}{n}$
    add the first letter of $w_i$ at the end of $w$
    remove the first letter of $w_i$
    $n_i \leftarrow n_i - 1$
    $n \leftarrow n - 1$


The word $w$ has been generated equiprobably among all
the words of $L$ of length $n$. Regarding complexity issues,
clearly the complexity of step 3 is linear in $n$. The complexity
of step 2 is linear in $n$, in the maximum of $Card(X_i)$ and
in the maximum of $Card(Q_i)$, in time as well as in space
requirements. The main contribution to the total worst-case
time complexity is the computation of the suitable probabilities
by Formula (6). The space requirement is $O(1)$ but
the number of terms in $\ell(n)$ is exponential in $n$. However,
if the $L_i$'s satisfy the hypothesis of Formula (3) then, by
Formula (4):

$$\Pr(n_1, \ldots, n_r) \sim \binom{n}{n_1, \ldots, n_r} \frac{\omega_1^{n_1} \omega_2^{n_2} \cdots \omega_r^{n_r}}{(\omega_1 + \omega_2 + \cdots + \omega_r)^n}. \qquad (7)$$

There is an easy algorithm for choosing $n_1, \ldots, n_r$ with this
probability without computing it: take the set of integers
$\{1, \ldots, r\}$ and draw a random sequence by picking independently
$n$ numbers in this set in such a way that the probability
to choose $i$ is $\Pr(i) = \frac{\omega_i}{\omega_1 + \omega_2 + \cdots + \omega_r}$. Then take $n_i$ as
the number of occurrences of $i$ in this sequence.

Well, one could argue that Formula (7) only provides an
asymptotic approximation of $\Pr(n_1, \ldots, n_r)$ as $n$ tends to
infinity. However, as noticed in Section 3.2, the rate of
convergence is exponential, so Formula (7) is precise enough
even for rather small $n$. And for really small $n$ (at least
when $n < N_1$ in Formula (1)), $\Pr(n_1, \ldots, n_r)$ can be
computed exactly by Formulas (1) and (6).

In conclusion, for any large enough $n$, the algorithm generates
traces of length $n$ almost uniformly at random. Its
overall complexity is linear according to $n$, to the maximum
of $Card(X_i)$ and to the maximum of $Card(Q_i)$, in time as
well as in space requirements.
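
Steps 1 and 3 of the "on line" method, as an added Python example that is not code from the paper. The count tables in `ELLS` are constructed sample values (a module accepting every word over two letters, and a module whose words over two letters never repeat the second letter), the function names are assumptions, and step 2 is left to any uniform generator for each $L_i$.

```python
import random
from fractions import Fraction
from itertools import product
from math import factorial

# Constructed counts: ELLS[i][k] is the number of words of length k in L_i.
ELLS = [[1, 2, 4, 8],     # l_1(k) = 2^k
        [1, 2, 3, 5]]     # l_2(k): Fibonacci-like growth


def multinomial(ns):
    """n! / (n_1! ... n_r!) with n = n_1 + ... + n_r."""
    out = factorial(sum(ns))
    for k in ns:
        out //= factorial(k)
    return out


def length_distribution(ells, n):
    """Step 1, exactly as in Formula (6): returns ({(n_1..n_r): Pr}, l(n)).
    Brute-force enumeration of the r-uples, meant for small n only."""
    weights = {}
    for ns in product(range(n + 1), repeat=len(ells)):
        if sum(ns) == n:
            w = multinomial(ns)
            for ell, k in zip(ells, ns):
                w *= ell[k]
            if w:
                weights[ns] = w
    total = sum(weights.values())          # this sum is l(n)
    return {ns: Fraction(w, total) for ns, w in weights.items()}, total


def approx_lengths(omegas, n, rng):
    """Step 1 through Formula (7): n independent picks of a module index,
    index i being chosen with probability omega_i / sum(omegas)."""
    picks = rng.choices(range(len(omegas)), weights=omegas, k=n)
    return tuple(picks.count(i) for i in range(len(omegas)))


def shuffle_words(words, rng):
    """Step 3: repeatedly pick word i with probability n_i / n and move its
    first letter to the end of the output."""
    rest = [list(w) for w in words]
    out = []
    while any(rest):
        remaining = [len(w) for w in rest]
        i = rng.choices(range(len(rest)), weights=remaining)[0]
        out.append(rest[i].pop(0))
    return out


def shuffle_probability(words, target):
    """Exact probability that shuffle_words returns `target`; the words are
    assumed to use pairwise disjoint alphabets."""
    rest = [list(w) for w in words]
    p = Fraction(1)
    for letter in target:
        n = sum(len(w) for w in rest)
        i = next((j for j, w in enumerate(rest) if w and w[0] == letter), None)
        if i is None:
            return Fraction(0)
        p *= Fraction(len(rest[i]), n)
        rest[i].pop(0)
    return p


def trace_probability(ells, ns):
    """Probability of one particular trace whose modules contribute ns letters:
    Pr(ns) * prod_i 1/l_i(n_i) * 1/multinomial(ns)."""
    dist, _ = length_distribution(ells, sum(ns))
    p = dist[ns] / multinomial(ns)
    for ell, k in zip(ells, ns):
        p /= ell[k]
    return p
```

With these counts `length_distribution(ELLS, 3)` finds 55 traces of length 3, and `trace_probability` returns 1/55 for every split of the length, which is the global uniformity the method claims.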



3.4 Generating traces in presence of synchronisation.

Now we suppose that each module contains exactly one
synchronised transition, denoted $\alpha$. Thus, in the global
system all modules must take $\alpha$ at the same time.

Let $A_1, \ldots, A_r$ be $r$ automata, with alphabets $X_1, \ldots, X_r$,
all containing a common synchronisation symbol $\alpha$, such
that

$$\forall i, j \in 1 \ldots r,\ i \neq j,\quad X_i \cap X_j = \{\alpha\}.$$

Let $S_1, \ldots, S_r$ be the respective languages recognised by
$A_1, \ldots, A_r$. Here, any trace can be represented by a word
belonging to the language $S$ defined as follows: $S$ is the set
of words $w$ over $X_1 \cup \ldots \cup X_r$ such that

$$w = w_0 \alpha w_1 \alpha \ldots w_{m-1} \alpha w_m$$

where the projection of $w$ onto any $X_i$ belongs to $S_i$. The
number $m$ is the number of synchronisations during the process:
each of the projections contains exactly $m$ letters $\alpha$
(and, equivalently, there is no $\alpha$ in any of the $w_i$).

3.4.1 Again the brute force approach.

Here the approach consists in constructing the synchronised
product of $A_1, A_2, \ldots, A_r$, as follows. Let
$X_{i,\alpha} = X_i \setminus \{\alpha\}$. The synchronised product [S] of
$A_1, A_2, \ldots, A_r$ with $\{\alpha\}$ as synchronisation set is the
finite automaton $A = \langle X, Q, q_0, F, \delta \rangle$, where

• $X = X_1 \cup X_2 \cup \ldots \cup X_r$;

• $Q = Q_1 \times Q_2 \times \ldots \times Q_r$;

• $q_0 = (q_1^0, q_2^0, \ldots, q_r^0)$;

• $F = F_1 \times F_2 \times \ldots \times F_r$;

• $\delta$ is as follows:

$$\delta((q_1, \ldots, q_i, \ldots, q_r), x) = \begin{cases} (\Delta_1(q_1, x), \ldots, q_i, \ldots, q_r) & \text{if } x \in X_{1,\alpha}, \\ (q_1, \ldots, \Delta_i(q_i, x), \ldots, q_r) & \text{if } x \in X_{i,\alpha}, \\ (q_1, \ldots, q_i, \ldots, \Delta_r(q_r, x)) & \text{if } x \in X_{r,\alpha}. \end{cases}$$

$$\delta((q_1, \ldots, q_i, \ldots, q_r), \alpha) = (\Delta_1(q_1, \alpha), \ldots, \Delta_i(q_i, \alpha), \ldots, \Delta_r(q_r, \alpha))$$

This automaton accepts the language $S$ of synchronised traces.
Once it has been built, the generation process is exactly as
in Section 3.3.1, with the same time and space requirements.

3.4.2 "On line" generation of synchronised traces

Here we sketch an algorithm for almost uniformly generating
random synchronised traces of length n, avoiding the
construction of the synchronised product. The approach is
similar to the one we described in Section 3.3.2, although
we must be more careful because of the synchronisations.
Given that each automaton $A_i$ contains a unique transition
labeled by $\alpha$ (the synchronised transition), let $q_{i,1}$ and
$q_{i,2}$ be the states just before and just after this transition,
respectively. Now let us define, for each $S_i$, the four following
languages:

• The beginning language: $B_i$ is the set of words corresponding
to the paths which start at the initial state of $A_i$, which do
not cross the $\alpha$ transition, and which stop at $q_{i,1}$.

• The central language: $C_i$ is the set of words corresponding
to the paths which start at $q_{i,2}$, which do not cross the
$\alpha$ transition, and which stop at $q_{i,1}$.

• The ending language: $E_i$ is the set of words corresponding
to the paths which start at $q_{i,2}$, which do not cross the
$\alpha$ transition, and which stop anywhere.

• The non-synchronised language: $T_i$ is the set of words
which start at the initial state of $A_i$, which never cross
the $\alpha$ transition, and which stop anywhere.

For any i, the language $S_i$ can be defined according to $B_i$,
$C_i$, $E_i$ and $T_i$:

$$S_i = B_i.(\alpha.C_i)^*.\alpha.E_i \cup T_i.$$

Thus, if we define $B = \sqcup\!\sqcup_{i=1}^{r} B_i$ (resp.
$C = \sqcup\!\sqcup_{i=1}^{r} C_i$, $E = \sqcup\!\sqcup_{i=1}^{r} E_i$,
and $T = \sqcup\!\sqcup_{i=1}^{r} T_i$), where $\sqcup\!\sqcup$ is the
shuffle, we have:

$$S = B.(\alpha.C)^*.\alpha.E \cup T. \qquad (8)$$



Now let s(n) (resp. $s_i(n)$, b(n), $b_i(n)$, c(n), $c_i(n)$, e(n),
$e_i(n)$, t(n), $t_i(n)$) be the number of words of length n in
S (resp. $S_i$, B, $B_i$, C, $C_i$, E, $E_i$, T, $T_i$). Additionally,
let s(n,m) be the number of words of S of length n which
contain $\alpha$ exactly m times. Let w be one of these words.

If m > 0, then w can be written $w = w_0.\alpha.w_1.\alpha \ldots \alpha.w_m$
where $w_0 \in B$, $w_i \in C$ for any $1 \le i < m$, and $w_m \in E$.
Finally, let $s(n, m, i_0, i_m)$ be the number of such words such that
the length of $w_0$ equals $i_0$ and the length of $w_m$ equals $i_m$.
Then we have

$$s(n) = \sum_{m=0}^{n} s(n, m) \qquad (9)$$

where

$$s(n, m) =
\begin{cases}
t(n) & \text{if } m = 0, \\
\sum_{i_0 + i_m = 0}^{n-m} s(n, m, i_0, i_m) & \text{otherwise,}
\end{cases} \qquad (10)$$

and, for m > 0,

$$s(n, m, i_0, i_m) = b(i_0)\, e(i_m) \sum_{i_1 + \ldots + i_{m-1} = n - m - i_0 - i_m} c(i_1) c(i_2) \ldots c(i_{m-1}). \qquad (11)$$



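Now suppose that all the $B_i$'s, the $C_i$'s, the $E_i$'s and
the $T_i$'s satisfy Formula iJSJ, that is:

$$b_i(k) \sim C_{b,i}\, \omega_{b,i}^k, \qquad
c_i(k) \sim C_{c,i}\, \omega_{c,i}^k, \qquad
e_i(k) \sim C_{e,i}\, \omega_{e,i}^k, \qquad
t_i(k) \sim C_{t,i}\, \omega_{t,i}^k.$$

Then, similarly to Formula @, we have:

$$b(k) \sim C_{b,1} \cdots C_{b,r}\, (\omega_{b,1} + \ldots + \omega_{b,r})^k, \qquad (12)$$

$$c(k) \sim C_{c,1} \cdots C_{c,r}\, (\omega_{c,1} + \ldots + \omega_{c,r})^k, \qquad (13)$$

$$e(k) \sim C_{e,1} \cdots C_{e,r}\, (\omega_{e,1} + \ldots + \omega_{e,r})^k, \qquad (14)$$

$$t(k) \sim C_{t,1} \cdots C_{t,r}\, (\omega_{t,1} + \ldots + \omega_{t,r})^k. \qquad (15)$$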



Consequently, for m > 0,

$$s(n, m, i_0, i_m) \sim (C_{b,1} \cdots C_{b,r})\,(C_{c,1} \cdots C_{c,r})^{m-1}\,(C_{e,1} \cdots C_{e,r})\,
(\omega_{b,1} + \ldots + \omega_{b,r})^{i_0}\,
(\omega_{c,1} + \ldots + \omega_{c,r})^{n - m - i_0 - i_m}\,
(\omega_{e,1} + \ldots + \omega_{e,r})^{i_m}. \qquad (16)$$

Note that computing $s(n, m, i_0, i_m)$ requires $O(nr)$ arithmetic
operations.

Now we can sketch the algorithm for generating a trace of 
length n. 

1. Using Formula (16), compute $s(n, m, i_0, i_m)$ for all m
such that $1 \le m \le n$ and for all pairs $(i_0, i_m)$ such
that $0 \le i_0 + i_m \le n - m$. This requires $O(n^3 \times rn) = O(rn^4)$
arithmetic operations. Then compute s(n,m)
for all m such that $1 \le m \le n$, using Formula (10)
and, additionally, Formula (15) when m = 0. Finally
compute s(n) by Formula It is worth noticing that 
this preliminary stage has to be done only once, whatever
the number of traces of length n to be generated.
Its overall arithmetic complexity is $O(rn^4)$.

2. Choose m, the number of synchronisations, with probability

$$\Pr(m) = \frac{s(n, m)}{s(n)}.$$

Computing these probabilities requires O(n) arithmetic
operations in the worst case.

3. If m = 0, then generate uniformly at random a word 
of length n in T, with the same algorithm as in Sec- 
tion 

4. If m > 0, then:

(a) Choose the length of $w_0$ and the length of $w_m$ by
picking at random a pair $(i_0, i_m)$ with probability

$$\Pr(i_0, i_m) = \frac{s(n, m, i_0, i_m)}{\sum_{k_0 + k_m = 0}^{n-m} s(n, m, k_0, k_m)}.$$

Computing these probabilities requires $O(n^2)$ arithmetic
operations in the worst case.

(b) Choose the lengths of $w_1, w_2, \ldots, w_{m-1}$ by picking
at random an (m−1)-tuple $(i_1, i_2, \ldots, i_{m-1})$ with
probability

$$\Pr(i_1, \ldots, i_{m-1}) = \frac{c(i_1) c(i_2) \ldots c(i_{m-1})}{\sum_P c(k_1) c(k_2) \ldots c(k_{m-1})}$$

where P stands for:

$$k_1 + k_2 + \cdots + k_{m-1} = n - m - i_0 - i_m.$$

Using Formula (13), this reduces to

$$\Pr(i_1, \ldots, i_{m-1}) \sim \frac{1}{\binom{n - 2 - i_0 - i_m}{m - 2}} \qquad (17)$$

and, similarly to Section 3.3.2, there is a simple
algorithm for picking $(i_1, i_2, \ldots, i_{m-1})$ at random
with this probability. This algorithm is linear in
n and m. The algorithm and the proof
of Formula (17) are given in Appendix 2.

(c) Now we have got the whole sequence $(i_0, i_1, \ldots, i_m)$
with a suitable probability. It remains to generate
the words $w_0 \in B$, $w_1, w_2, \ldots, w_{m-1} \in C$
and $w_m \in E$, each $w_k$ having length $i_k$. Each of
these words is simply a shuffle of the r languages
$(B_i)_{i=1 \ldots r}$ if k = 0, $(C_i)_{i=1 \ldots r}$ if $1 \le k < m$,
$(E_i)_{i=1 \ldots r}$ if k = m. For each of the $w_k$'s, the
shuffling algorithm given in Section 13351 can be
used.

As remarked above, the first step of the algorithm, in
$O(rn^4)$ operations, has to be done only once. After that, the
overall complexity of generating any random trace of length
n is quadratic in n. And, as in Section 3.3.2, it
is linear in the maximum of Card($X_i$) and in the
maximum of Card($Q_i$), in time as well as in space requirements.
Thus we have defined an efficient way of approximating
the uniform coverage in presence of one synchronisation
for any sufficiently large n. The case where there
are several synchronisations labelled by different symbols is
more complex but we think it can be addressed with similar
techniques and simplifications. This is the subject of some
ongoing work.
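The counting behind steps 1 and 2 can be checked on small modules. The following Python sketch is an added example, not code from the paper: it computes s(n, m) module by module through Formulas (10) and (11), using exact counts instead of the asymptotic estimates (12) to (15), and compares the result with a direct walk over the synchronised product of Section 3.4.1. The two modules, their letters and all function names are constructed for the illustration.

```python
from functools import reduce
from math import comb

# Constructed deterministic modules: "local" = non-synchronised transitions, alpha goes q1 -> q2.
MODULES = [
    {"init": 0, "q1": 1, "q2": 2,
     "local": {0: {"a": 1, "b": 0}, 1: {"a": 0}, 2: {"b": 1}}},
    {"init": 0, "q1": 0, "q2": 1,
     "local": {0: {"c": 0}, 1: {"d": 0, "e": 1}}},
]

def paths(mod, start, n, end=None):
    """Numbers of local paths of length 0..n from start to end (or anywhere)."""
    cur, out = {start: 1}, []
    for _ in range(n + 1):
        out.append(sum(cur.values()) if end is None else cur.get(end, 0))
        nxt = {}
        for q, cnt in cur.items():
            for q2 in mod["local"].get(q, {}).values():
                nxt[q2] = nxt.get(q2, 0) + cnt
        cur = nxt
    return out

def shuffle(f, g):
    """Word counts of the shuffle of two languages over disjoint alphabets."""
    return [sum(comb(k, j) * f[j] * g[k - j] for j in range(k + 1))
            for k in range(len(f))]

def concat(f, g):
    """Word counts of the concatenation of two languages."""
    return [sum(f[j] * g[k - j] for j in range(k + 1)) for k in range(len(f))]

def s_by_m(n):
    """{m: s(n, m)} from per-module counts, following Formulas (10) and (11)."""
    def glob(start, to_q1):  # shuffle of the r local languages
        return reduce(shuffle, [paths(m, m[start], n, m["q1"] if to_q1 else None)
                                for m in MODULES])
    b, c = glob("init", True), glob("q2", True)
    e, t = glob("q2", False), glob("init", False)
    cpow = [[1] + [0] * n]  # cpow[j][k]: words of length k in C^j
    for _ in range(n):
        cpow.append(concat(cpow[-1], c))
    out = {0: t[n]}
    for m in range(1, n + 1):
        out[m] = sum(b[i0] * e[im] * cpow[m - 1][n - m - i0 - im]
                     for i0 in range(n - m + 1)
                     for im in range(n - m - i0 + 1))
    return out

def product_by_m(n):
    """The same counts obtained by walking the synchronised product."""
    cur = {(tuple(m["init"] for m in MODULES), 0): 1}
    for _ in range(n):
        nxt = {}
        for (qs, m), cnt in cur.items():
            succ = [(qs[:i] + (q2,) + qs[i + 1:], m)
                    for i, mod in enumerate(MODULES)
                    for q2 in mod["local"].get(qs[i], {}).values()]
            if all(q == mod["q1"] for q, mod in zip(qs, MODULES)):
                succ.append((tuple(mod["q2"] for mod in MODULES), m + 1))
            for key in succ:
                nxt[key] = nxt.get(key, 0) + cnt
        cur = nxt
    return {m: sum(c for (_, k), c in cur.items() if k == m) for m in range(n + 1)}
```

Dividing each `s_by_m(n)[m]` by the sum of the values gives the distribution Pr(m) of step 2; the product walk is only there as a cross-check and is what the on-line method avoids for large models.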

4. CONCLUSION AND PERSPECTIVES 

One of the main interests of classical random walk is that
it can be performed on large models with a local knowledge
only. However, it presents some drawbacks, mainly related
to the difficulty of estimating, without analysing the global
topology, the test coverage for a given number of random
walks of some given lengths. In Section 2, we have shown
how it is possible to approximate it via a randomised
approximation scheme.

In the rest of the paper we have described how to per- 
form globally uniform random walks in very large models 
described as sets of concurrent, smaller, models. By glob- 
ally uniform random walk, we mean that the choice of the 
successor at every step is biased in such a way that all traces 
of the global model have equal probability to be traversed. 

A brute force approach is to count the number of paths of 
the desired length starting from each successor and to adjust 
its probability accordingly. This is feasible via techniques 
for counting and drawing uniformly random combinatorial 
structures. However, the complexity of this approach is lin- 
ear in the number of states of the considered model. This 
makes it feasible for moderately-sized models only. 

Then, we have shown how to use local uniform drawings 
to build globally uniform random walks, with a complexity 
that is linear in the size of the biggest component model. 
We use an estimation of the number of words, but as soon 
as the length of the random walks is sufficient, it is a very 
good approximation as seen in 3.2 (formulas (1) and (2)). 

This method can be used for random testing, model check- 
ing, or simulation of protocols that involve many distributed 
entities, as it is often the case in practice. It ensures a bal- 
anced coverage of all behaviours, even if the topology of the 
underlying model is irregular. 

This work is a first step only. First, we plan a campaign 
of experiments of the method and of some variants of it. For 
instance, instead of uniform coverage of traces, it is possible 
to consider uniform coverage of states, or of transitions as 
it is done in [11] for testing C programs.



Moreover, results on counting and generating combinatorial
structures are not limited to words of regular languages.
They open numerous perspectives in the area of random
testing. A possibility that is worth exploring is the test
of non deterministic systems via uniform generation of
tree-like behaviours, i.e. some notion of adaptive random walk
inspired from the classical notion of adaptive checking
sequences [22]. It would be also interesting to study how the
approach presented here for descriptions by reactive modules
could be transposed to other succinct representations
of large models such as OBDD, symmetry reduction, etc.

Acknowledgement. We thank Radu Grosu for interesting
discussions that have motivated this work.

5. ADDITIONAL AUTHORS 

The RaST group (Random Software Testing) is composed of:

• Alain Denise - alain.denise@lri.fr 

LRI, Universite Paris-Sud, UMR CNRS 8623. 

• Marie-Claude Gaudel - mcg@lri.fr 

LRI, Universite Paris-Sud, UMR CNRS 8623. 

• Sandrine-Dominique Gouraud - gouraud@lri.fr 
LRI, Universite Paris-Sud, UMR CNRS 8623. 

• Richard Lassaigne - lassaign@logique.jussieu.fr 
Equipe de Logique Mathematique, Universite Paris 
VII, UMR CNRS 7056. 

• Sylvain Peyronnet - syp@lrde.epita.fr 
LRDE/EPITA and Equipe de Logique Mathematique, 
UMR CNRS 7056, Universite Paris VII. 

6. REFERENCES 

[1] D. Aldous, An introduction to covering problems for 
random walks on graphs, J. Theoret Probab. 4 (1991), 
197-211. 

[2] R. Alur, L. de Alfaro, Radu Grosu, T. A. Henzinger, 
M. Kang, C. M. Kirsch, R. Majumdar, F.Y.C. Mang, 
B-Y. Wang, jMocha: A model-checking tool that 
exploits design structure. In Proceedings of the 23rd 
Annual International Conference on Software 
Engineering (ICSE), IEEE Computer Society Press, 
2001, pp. 835-836. 

[3] R. Alur and T. A. Henzinger. Reactive modules. Formal 
Methods in System Design, vol. 15, pages 7-48, 1999. 

[4] R. Alur, T. A. Henzinger, F.Y.C. Mang, S. Qadeer, S.
K. Rajamani, and S. Tasiran. Mocha: Modularity in
model checking. In Proceedings of the Tenth
International Conference on Computer-Aided
Verification (CAV), Lecture Notes in Computer Science
1427, Springer-Verlag, 1998, pp. 521-525.

[5] APMC Website, http://apmc.berbiqui.org 

[6] A. Arnold, Finite Transition Systems, Prentice-Hall, 
1994. 

[7] J. Berstel and C. Reutenauer, Rational series and their
languages, Springer-Verlag, 1987.

[8] E. Brinksma and J. Tretmans. Testing Transition
Systems, an annotated bibliography, volume 2067 of
LNCS, pages 187-195, 2001.



[9] A. Cavalli and D. Lee and C. Rinderknecht and F. 
Zaidi, HIT-OR-JUMP: an Algorithm for Embedded 
Testing with Applications to IN Services, in Proc. 
FORTE/PSTV, 1999. 

[10] A. Demaille, T. Herault and S. Peyronnet.
Probabilistic verification of sensor networks. In Proc. of
the RIVF 2006 conference, IEEE region X, 2006.

[11] A. Denise, M.-C. Gaudel et S.-D. Gouraud. A Generic 
Method for Statistical Testing, In Fifteenth IEEE 
International Symposium on Software Reliability 
Engineering (ISSRE), pages 25-34, november 2004. 

[12] M. Duflot, L. Fribourg, T. Herault, R. Lassaigne, F. 
Magniette, S. Messika, S. Peyronnet and C. Picaronny. 
Probabilistic model checking of the CSMA/CD 
protocol using PRISM and APMC. In Proc. 4th Int. 
Workshop on Automated Verification of Critical 
Systems (AVoCS 2004), London, UK, Electronic Notes 
in Theor. Comp. Sci., 2004. 

[13] Ph. Flajolet and R. Sedgewick. Analytic
combinatorics: functional equations, rational, and
algebraic functions, INRIA Research Report RR4103
January 2001, 98 pages. Part of the book project
"Analytic Combinatorics".
http://algo.inria.fr/flajolet/Publications/books.html

[14] Ph. Flajolet and P. Zimmermann and B. Van Cutsem. 
A Calculus for the Random Generation of Labelled 
Combinatorial Structures, Theoretical Computer 
Science, vol. 132, 1994, pages 1-35. 

[15] S.-D. Gouraud, A. Denise, M.-C. Gaudel et B. Marre.
A New Way of Automating Statistical Testing
Methods, In Sixteenth IEEE International Conference
on Automated Software Engineering (ASE), IEEE
Computer Society Press, pages 5-12, november 2001.

[16] R. Grosu and S. A. Smolka. Monte Carlo Model 
Checking. In Proc. of Tools and Algorithms for 
Construction and Analysis of Systems (TACAS 2005), 
volume 3440 of LNCS, pages 271-286. Springer, 2005. 

[17] G. Guirado, T. Herault, R. Lassaigne and S. 
Peyronnet. Distribution, approximation and 
probabilistic model checking. 4th Parallel and 
Distributed Methods in Verification (PDMC 05). 
Electronic Notes in Theor. Comp. Sci., 2005. 

[18] T. Herault, R. Lassaigne, F. Magniette and S.
Peyronnet. Approximate Probabilistic Model Checking.
In Proceedings of Fifth International VMCAI'04,
LNCS, 2937:73-84, 2004.

[19] T. Hickey and J. Cohen. Uniform Random Generation 
of Strings in a Context-Free Language, SIAM. J. 
Comput, vol. 12(4), pages 645-655, 1983 

[20] W. Hoeffding. Probability inequalities for sums of 
bounded random variables. Journal of the American 
Statistical Association, 58:13-30, 1963. 

[21] P. R. James and M. Endler and M.-C. Gaudel.
Development of an Atomic Broadcast Protocol using
LOTOS, Software Practice and Experience, vol. 29(8),
pages 699-719, 1999.

[22] M. Jerrum and A. Sinclair. The Markov chain Monte 
Carlo method: an approach to approximate counting 
and integration. Approximation Algorithms for 
NP-hard Problems, D.S.Hochbaum ed., PWS 
Publishing, Boston, 1996. 

[23] R.M. Karp, M. Luby and N. Madras. Monte-Carlo
algorithms for enumeration and reliability problems.
Journal of Algorithms, 10:429-448, 1989.

[24] M. Kwiatkowska, G. Norman and D. Parker.
Probabilistic Symbolic Model Checking with PRISM: A
Hybrid Approach. In Proc. TACAS'02, volume 2280 of
LNCS, pages 52-66, Springer-Verlag. April 2002.

[25] R. Lassaigne and S. Peyronnet. Probabilistic
verification and approximation. In Proc. of the 12th
Workshop on Logic, Language, Information and
Computation (Wollic 05). Electr. Notes Theor.
Comput. Sci. 143: 101-114 (2006).

[26] D. Lee and K. K. Sabnani and D. M. Kristol and S.
Paul, Conformance Testing of Protocols Specified as
Communicating Finite State Machines - a Guided
Random Walk Based Approach. IEEE Trans. on
Communications, vol. 44-5, pages 631-640, 1996.

[27] D. Lee and M. Yannakakis. Principles and methods of 
Testing Finite State Machines a survey. The 
Proceedings of IEEE, 84(8), pages 1089-1123, 1996. 

[28] M. Mihail and C. H. Papadimitriou. On the random
walk method for protocol testing. In Proc.
Computer-Aided Verification (CAV 1994), volume 818
of LNCS, pages 132-141, 1994.

[29] PRISM Website, http://cs.bham.ac.uk/~dxp/prism 

[30] R. Pelanek, T. Hanil, I. Aerna, L. Brim, Enhancing 
random walk state space exploration, 10th 
international workshop on Formal methods for 
industrial critical systems, Lisbon, 2005 

[31] H. Sivaraj and G. Gopalakrishnan. Random walk 
based heuristic algorithms for distributed memory 
model checking. In Proc. of Parallel and Distributed 
Model Checking (PDMC'03), volume 89 of ENTCS, 
2003. 

[32] N. M. Thiery. Mupad-combinat algebraic
combinatorics package for MUPAD.
http://mupad-combinat.sourceforge.net/

[33] C. H. West. Protocol Validation in Complex Systems,
ACM SIGCOMM Computer Communication Review,
vol. 19, no. 4, pages 303-312, 1989.

Appendix 1: Counting words of rational languages

Let L be a language on an alphabet X, and, for $n \ge 0$, let
$\ell(n)$ be the number of words of L of length n. The generating
series of L is defined as:

$$f(z) = \sum_{n \ge 0} \ell(n)\, z^n.$$

This is a formal power series of one variable z where the
coefficient of $z^n$ equals the number of words of length n in
L. According to well-known results (see e.g. [7]), if L is a
regular language, then its generating series can be expressed
as a rational function

$$f(z) = \frac{N(z)}{D(z)}$$

where N and D are two polynomials with integer coefficients.
This function is a solution of a system of m linear
equations, where m is the number of states of a deterministic
automaton which recognises L.

The number of words of size n mainly depends on the
poles of f(z), that is on the roots of its denominator D(z)
(see e.g. [13, Theorem 8.1]). Precisely, let $\alpha_1, \alpha_2, \ldots, \alpha_k$
be the poles of f(z) and let $\omega_i = 1/\alpha_i$ for any i. Then there
exist an integer $N_1$ and k polynomials $R_1(n), R_2(n), \ldots, R_k(n)$
such that

$$\forall n > N_1, \quad \ell(n) = \sum_{j=1}^{k} R_j(n)\, \omega_j^n, \qquad (18)$$

where the degree of any $R_j$ equals the multiplicity of its
corresponding pole $\alpha_j$, minus 1.

As a corollary of the Perron-Frobenius Theorem [13, Theorem 8.5
and Corollary 8.1], if the automaton of L satisfies
some conditions (see below), then its generating series has
a unique dominant pole, that is there exists i such that
$|\alpha_i| < |\alpha_j|$ for any $j \neq i$, and this pole has multiplicity 1.
Hence $R_i(n)$ has degree zero, say $R_i(n) = C$ where C is a
constant. Thus we have, asymptotically,

$$\ell(n) \sim C\, \omega_i^n. \qquad (19)$$

A sufficient condition for the above formula to hold is: the
automaton is strongly connected and aperiodic. However,
as noticed in Section 3.2.1, there are a number of weaker
conditions which imply it.

Appendix 2: Proof of Formula (17) and related algorithm

We have

$$\Pr(i_1, \ldots, i_{m-1}) = \frac{c(i_1) c(i_2) \ldots c(i_{m-1})}{\sum_P c(k_1) c(k_2) \ldots c(k_{m-1})}$$

where P stands for:

$$k_1 + k_2 + \cdots + k_{m-1} = n - m - i_0 - i_m.$$

By Formula (13) this leads to

$$\Pr(i_1, \ldots, i_{m-1}) \sim \frac{(\omega_{c,1} + \ldots + \omega_{c,r})^{n - m - i_0 - i_m}}{\sum_P (\omega_{c,1} + \ldots + \omega_{c,r})^{n - m - i_0 - i_m}} = \frac{1}{\sum_P 1}.$$

The denominator equals the number of distinct ways to
choose $(k_1, k_2, \ldots, k_{m-1})$ in such a way that they sum to
$n - m - i_0 - i_m$. This means that the sequence $(i_1, i_2, \ldots, i_{m-1})$
is to be picked uniformly among all sequences such that

$$k_1 + k_2 + \cdots + k_{m-1} = n - m - i_0 - i_m.$$

Let $Q = n - m - i_0 - i_m$ and $q = m - 1$. The number
of ways to choose q numbers greater or equal to zero that
sum to Q equals $\binom{Q + q - 1}{q - 1}$, for any positive integers Q and q.
Hence

$$\Pr(i_1, \ldots, i_{m-1}) \sim \frac{1}{\binom{n - 2 - i_0 - i_m}{m - 2}}.$$

This proves Formula (17).

Additionally, there is an easy algorithm to generate uniformly
at random q numbers $i_1, i_2, \ldots, i_q \ge 0$ that sum to
Q: pick uniformly at random q − 1 numbers $j_1, j_2, \ldots, j_{q-1}$
between 1 and Q + q, then set $i_1 = j_1 - 1$, $i_2 = j_2 - j_1 - 1$,
. . ., $i_{q-1} = j_{q-1} - j_{q-2} - 1$, $i_q = Q - j_{q-1}$. Clearly, this
simple algorithm is linear in Q and q, hence in n
and m.
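One way to implement this drawing, as an added Python example rather than the authors' code. It assumes the q − 1 numbers are distinct, sorted and taken in 1..Q+q−1, with the last part set to Q + q − 1 − j_{q−1}, which is the reading under which the q parts sum to Q. The function names are introduced here, and `middle_lengths` handles the m = 1 case of step 4(b), where there is no central word.

```python
import random
from itertools import combinations
from math import comb

def parts_from_bars(bars, Q, q):
    """Turn q-1 sorted distinct positions in 1..Q+q-1 into q parts summing to Q."""
    edges = [0, *bars, Q + q]
    return tuple(edges[k + 1] - edges[k] - 1 for k in range(q))

def count_parts(Q, q):
    """Number of ways to write Q as an ordered sum of q non-negative integers."""
    return comb(Q + q - 1, q - 1)

def sample_parts(Q, q, rng=random):
    """Draw (i_1, ..., i_q), all >= 0 and summing to Q, uniformly at random."""
    if Q < 0 or q < 1:
        raise ValueError("need Q >= 0 and q >= 1")
    bars = sorted(rng.sample(range(1, Q + q), q - 1))
    return parts_from_bars(bars, Q, q)

def middle_lengths(n, m, i0, im, rng=random):
    """Lengths of w_1..w_{m-1} for step 4(b), given n, m and the two end lengths."""
    Q, q = n - m - i0 - im, m - 1
    if q == 0:  # m = 1: no central word, so nothing may be left over
        if Q != 0:
            raise ValueError("with m = 1 the two end words must fill n - 1 letters")
        return ()
    return sample_parts(Q, q, rng)

def all_parts(Q, q):
    """Image of every choice of bars. The map is a bijection onto the
    count_parts(Q, q) sequences, so uniform bars give uniform parts."""
    return [parts_from_bars(b, Q, q)
            for b in combinations(range(1, Q + q), q - 1)]
```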



